Hitchhiker’s guides to the AAI galaxy

During the past year the AARC project and partners have been working to provide solutions to help research collaborations adopt federated access. After a little more than one year in the project, we reflect in a mini-series of blogs on how we have worked together with different e-infrastructure projects in this journey. In this, the first in the series, we focus on AARC’s work with the GN4 (GÉANT) project, which runs the pan-European GÉANT backbone network for research and education.

How should research communities, cloud providers or commercial service providers navigate their way through the galaxy of complex technologies that are used for Authentication and Authorisation Infrastructures (AAIs), in order to find the one that suits their own purposes?

Even the operators of one AAI, who know all its ins and outs, may have limited knowledge about the technical mechanisms, policies and main user needs of the others.

To help familiarise people with the basic concepts of the various technologies, AARC and GN4 produced two complementary guide documents.

AARC worked with GN4 to assess the landscape of technologies, infrastructures and tools used to deploy AAIs, and how we are moving forward together towards a global AAI architecture for research collaboration.

The two documents [see References for the URLs], which were produced before summer 2016, present the state of the art of existing AAIs as well as the underlying technologies used to date.

Why two guides?

For practical reasons it was felt that two different documents were the best approach. For a start, this has limited the size of each document, has helped keep the focus on two complementary aspects, and most importantly has shown that collaboration between different projects is possible and effective.

What is the difference between the two documents?

AARC’s document focuses on AAI technologies and products, on their main features and on how they could be used as building blocks for an AAI. AARC’s approach follows a functional model, based on the ‘layers’ identified in the AARC blueprint architecture, as indicated below.

The outcome of the AARC document is an overview of products and technologies for each of the layers, as depicted in the picture below. AARC is also working to publish a set of interactive tables to describe how each of the building blocks in each of the layers meets the identified research requirements.

The goal of GN4’s document was to make it easier for research communities and prospective users of these infrastructures to learn the most basic aspects and characteristics of the e-infrastructures’ AAIs (e.g. eduGAIN, EUDAT, EGI), including business models and policy aspects. The picture below shows the e-infrastructures’ AAIs described in the GN4 document and the technologies they are built on.

As the picture shows, the general-purpose AAIs use different technologies for authentication (and authorisation) purposes, and these are, by default, not compatible with each other. The EUDAT AAI is the exception, as it was designed to support all existing authentication technologies (including social media). Elsewhere, token translation services or proxies are used to bridge between AAIs and to enable users with different types of credentials to access resources across different research and e-infrastructures.

Which one should I read then?

It depends very much on the individual needs. Generally speaking, if the aim is to gain insight into the available general-purpose authentication and authorisation infrastructures and technologies in academia, then the GN4 document should be preferred.

If the aim is to dive into the technologies and the underlying components of existing AAIs and to map them to requirements from research communities, then the AARC document is a better fit.

Next Steps

AARC, in collaboration with the eduGAIN team, is working to offer more support for both service providers and research infrastructures that are embarking on this journey.